Ask Ars: Where should I store my passwords?

Ask Ars takes a look at the best practices for using a password-keeping …

Ask Ars was one of the first features of the newly born Ars Technica back in 1998. And now, as then, it's all about your questions and our community's answers. Each week, we'll dig into our bag of questions, answer a few based on our own know-how, and then we'll turn to the community for your take. To submit your own question, see our helpful tips page.

Question: What are the best practices when using a password-keeping service, and what are the merits and disadvantages of local vs. cloud-based password storage?

With every website requiring users to register a password-protected account to see its content, password management systems have become very popular. We probably don't need to tell you that one of the most popular strategies for managing passwords—using the same password for every account—is a terrible thing to do.

Because of this, password-keeping programs have been making gains, but using one can be dangerous to your privacy if done incorrectly. There are certain features and practices that will keep your logins more secure, so we'll go through a few different services and things you can do to crank up the security.

Most password keepers work by allowing you to store your login information, either locally or in cloud storage, and most also include a password generation feature that will create long strings of gibberish for you to use and then store. That information is encrypted, and then can be accessed by a master password that you set.

Already, there are some considerations here. All your passwords on different sites are like an anarchic society: unorganized, somewhat difficult to ruffle at once because they are unrelated (or they should be... that reminds us, again, don't use the same password for everything). Using a password-keeping service is like introducing a societal leader, your master password: everything is more organized and hierarchical, but someone only has to kill the emperor/shah/king to make the whole arrangement fall apart.

Therefore, step one of good password-keeper-using practices is "use a beastly master password," whether your keeper is in the cloud or on your computer. You probably can't fit an essay into that field, but if you could, we'd advise it. Short of that, make it long and completely nonsensical. Using an easy master password for your password keeper is like giving a chair to a security guard, and we've seen how that turns out.

The next issue that bears discussing is which storage is more secure: passwords stored on your computer, or in the cloud? On the one hand, you have complete control over the encryption of login data stored locally. If you wanted, you could make a hundred nested TrueCrypt volumes, each with three layers of 256-bit AES encryption, and save your passwords inside. This is unreasonable from a convenience standpoint, but if that's all that makes you feel safe we'd hardly stand in your way.

Most cloud storage services use one layer of 256-bit AES encryption. It's worth noting that even if someone stole your data from those servers, even with a ridiculous amount of computing power, it would take longer than the universe is old to crack the encryption; therefore, someone who wants at your data is far more likely to go after the password itself.

Still, it would take thousands of years to crack an 8-character password when checking both small and capital letters, spaces, and numbers. That's on a low-power computer, but the time it takes to crack a string of characters goes up exponentially the more characters you use. So again, use a long password and you can foil even the Watsons of today for long enough that you would probably decide on a whim to change your password before the password is solved.

Some cloud storage keepers have been making impressive showings in secondary features that can add an extra layer of security. For example, LastPass offers grid multifactor authentication, which requires you to print out a physical chart of numbers and letters and then enter corresponding digits along with your master password when you log in. Without the physical chart to reference, no one can log in.
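The grid scheme just described, written out as an added Python illustration (this is not LastPass's code; the grid size, cell alphabet, number of cells asked per login and the lockout policy are all assumptions made for the example): the server creates a fresh random chart for each user, asks for a few randomly chosen cells at every login, and compares the answer in constant time, so a recorded answer reveals only those cells and cannot simply be replayed.

```python
import secrets
import string

# Constructed grid layout for this example: rows A-J, columns 1-10, one symbol per cell.
# LastPass's real grid dimensions and alphabet are not described in the article.
ROWS = "ABCDEFGHIJ"
COLS = range(1, 11)
CELL_ALPHABET = string.ascii_uppercase + string.digits


def make_grid() -> dict:
    """Server side: a fresh random chart per user, drawn from the OS CSPRNG.

    The user prints it; the server keeps a copy. Nothing about it is derived from the
    master password, so the two factors fail independently.
    """
    return {f"{r}{c}": secrets.choice(CELL_ALPHABET) for r in ROWS for c in COLS}


def make_challenge(grid: dict, n_cells: int = 4) -> list:
    """Pick n distinct cells at random for this login.

    Fresh cells every time, so an answer captured by a keylogger or a shoulder-surfer
    reveals only those few cells and is useless against the next challenge.
    """
    cells = list(grid)
    if n_cells > len(cells):
        raise ValueError("more cells requested than the grid has")
    chosen = []
    while len(chosen) < n_cells:
        cell = secrets.choice(cells)
        if cell not in chosen:
            chosen.append(cell)
    return chosen


def answer_challenge(grid: dict, challenge: list) -> str:
    """Client side: read the printed chart and type the symbol at each named cell, in order."""
    return "".join(grid[cell] for cell in challenge)


class GridLogin:
    """Per-user server state: issues one challenge at a time and checks the answer.

    The lockout threshold is an assumed policy for this example, not LastPass's.
    """

    def __init__(self, grid: dict, max_failures: int = 5):
        self.grid = grid
        self.max_failures = max_failures
        self.failures = 0
        self.pending = None  # the challenge currently awaiting an answer

    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def challenge(self, n_cells: int = 4) -> list:
        if self.locked():
            raise PermissionError("grid authentication locked after repeated failures")
        self.pending = make_challenge(self.grid, n_cells)
        return self.pending

    def check(self, response: str) -> bool:
        """Compare in constant time; each challenge can be answered only once."""
        if self.pending is None:
            return False
        expected = answer_challenge(self.grid, self.pending)
        self.pending = None
        ok = secrets.compare_digest(expected, response)
        if not ok:
            self.failures += 1
        return ok


if __name__ == "__main__":
    grid = make_grid()
    login = GridLogin(grid)
    asked = login.challenge()
    print("enter cells:", " ".join(asked))
    typed = answer_challenge(grid, asked)  # what a user holding the chart would type
    print("accepted:", login.check(typed))
    print("replay of the same answer:", login.check(typed))  # False: challenge already consumed
```

The design points worth noticing are the ones the article's description implies: the chart comes from a CSPRNG and is independent of the master password, the server (not the client) chooses which cells to ask for, and a challenge is consumed whether or not the answer was right.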

Cloud password storage makes us a little nervous in that anyone anywhere can just start trying master logins. If this makes you uncomfortable, don't use it, or enable some of the physical multifactor authentication features like grid authentication or fingerprint scanning (separate dongle required). Of course, website logins in general have this problem, which is why it's a good idea to use the proffered generators in keeper programs to prevent someone from just guessing your password.
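Two points from the paragraphs above, that the time to crack a password grows exponentially with its length and that a keeper's generator should make the password for you, worked through as an added Python example (not code from the article or from any keeper product). The 63-symbol alphabet is the article's lower case, upper case, digits and space; the attacker rate of one billion guesses per second is an assumed figure chosen only to show the ratio between rows, and the punctuation set is an assumed extension.

```python
import math
import secrets
import string

# Character classes named in the article: lower, upper, digits and the space (63 symbols).
# Adding punctuation is an assumption for this example and gives 95 symbols.
ARTICLE_ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + " "
FULL_ALPHABET = ARTICLE_ALPHABET + string.punctuation

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length over an alphabet of that size."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password; each extra character adds log2(alphabet)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case years to try the whole keyspace at a constant guess rate.

    On average an attacker finds the password about halfway through, so the expected
    time is half of this; the growth with length is what matters.
    """
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def crack_time_table(alphabet_size: int, lengths, guesses_per_second: float) -> list:
    """Rows of (length, entropy bits, worst-case years) for each requested length."""
    return [(n, entropy_bits(alphabet_size, n), years_to_exhaust(alphabet_size, n, guesses_per_second))
            for n in lengths]


def generate_password(length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Random password from the OS CSPRNG, the way a keeper's generator should make them.

    `secrets` rather than `random`: the latter is a predictable Mersenne Twister and must
    not be used for anything an attacker might try to guess.
    """
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Assumed attacker: one billion guesses per second (a constructed figure for illustration,
    # not a measurement). Changing the rate shifts every row by the same factor.
    RATE = 1e9
    for n, bits, years in crack_time_table(len(ARTICLE_ALPHABET), [8, 12, 16, 20, 24], RATE):
        print(f"length {n:2d}: {bits:6.1f} bits, worst case {years:.3g} years at {RATE:.0e} guesses/s")
    print("sample generated password:", generate_password(20))
```

Each row of the table is the previous row multiplied by 63 to the power of the extra characters, which is the exponential growth the article refers to: going from 8 to 12 characters multiplies the work by about 15.7 million, regardless of how fast the attacker's hardware is.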

The convenience of cloud storage may be worth it to you, but there are ways to make locally stored password keepers more available, too—for example, putting KeePass or 1Password data on a thumb drive or in a Dropbox. If it's in a Dropbox, again, long, frequently changed passwords are your friends, as you are providing another point of access to your data.

Whichever way you choose to go, all your intricate-master-password-making can be for naught if you neglect practical considerations. It helps to set the service to log you out after a short time, do regular virus scans to keep out keyloggers and other data-harvesting viruses, and be extra careful on open networks. If possible, don't do any logging in to anything on them, especially not into your goldmine of a password keeping service.

If you must use your keeper on an open network, any keeper worth using will offer you a virtual keyboard option to enter your master password in case you are using a computer that may have been compromised or is being watched.

In my personal experience, the first big downside I ever discovered to password keepers was that they made it remarkably hard to use any account-based website from a smartphone. If this is something you need to be able to do, many big-name local storage programs like 1Password offer syncing through a (moderately expensive) app; a premium account with LastPass at $1 per month gets you access to iPhone and Android apps, plus service on a bevy of third-party browsers. Again, be wary of open networks.

After all these considerations, it may seem like it's OK to keep the same passwords forever, but it's still not advisable. The actual holders of your account, the websites themselves, may be storing your login information in plain text files and practically flying them from a flagpole on their back-end for all you know. So if you are using a password keeper, take advantage of never having to memorize a separate password for each site, and generate new ones frequently. This sounds like a pain, but it's just good Internet hygiene.